update

2025-12-10 17:42:50 +00:00 · 2024-08-24 17:00:53 +08:00 · 2024-08-24 17:00:53 +08:00 · 59fc0987b0
commit 59fc0987b0
parent c9d8240b91
10 changed files with 18 additions and 33 deletions
--- a/README.md
+++ b/README.md
@ -1,6 +1,6 @@

 <div align="center" >
-    <img src="https://images.gitee.com/uploads/images/2021/1109/164354_0aafe3d2_892944.gif" />
+    <img src="https://www.crmeb.com/static/images/dark_logo.png" />
 </div>
 <div align="center">

@ -13,7 +13,7 @@ CRMEB开源商城系统PHP版
        <img src="https://img.shields.io/badge/Licence-apache2.0-green.svg?style=flat" />
    </a>
    <a href="http://www.crmeb.com">
-        <img src="https://img.shields.io/badge/Edition-5.2-blue.svg" />
+        <img src="https://img.shields.io/badge/Edition-5.4-blue.svg" />
    </a>
     <a href="https://gitee.com/ZhongBangKeJi/CRMEB/repository/archive/master.zip">
        <img src="https://img.shields.io/badge/Download-240m-red.svg" />
@ -45,7 +45,7 @@ CRMEB开源商城系统PHP版
 ### 📋 更新说明


-点击查看<a href="https://doc.crmeb.com/single/v53/12202" target="_blank">更新记录</a>
+点击查看<a href="https://doc.crmeb.com/single/v54/14013" target="_blank">更新记录</a>


 ### 用心做开源，我们也很需要你的鼓励！右上角Star🌟，等你点亮！
--- a/crmeb/app/Request.php
+++ b/crmeb/app/Request.php
@ -34,7 +34,7 @@ class Request extends \think\Request
     * @var array
     */
    protected $except = ['menu_path', 'api_url', 'unique_auth',
-                         'description', 'custom_form', 'content', 'tableField', 'url', 'customCode'];
+        'description', 'custom_form', 'content', 'tableField', 'url', 'customCode', 'value', 'refund_reason_wap_img'];

    /**
     * 获取请求的数据
@ -83,8 +83,8 @@ class Request extends \think\Request
        $result = [];
        foreach ($array as $key => $value) {
            if (is_array($value)) {
-                // 如果值是数组，递归调用 filterArrayValues
-                $result[$key] = $this->filterArrayValues($value);
+                // 如果值是数组，并且不在不过滤变量名里面，递归调用 filterArrayValues，否则直接赋值
+                $result[$key] = in_array($key, $this->except) ? $value : $this->filterArrayValues($value);
            } else {
                if (in_array($key, $this->except) || is_int($value) || is_null($value)) {
                    $result[$key] = $value;
--- a/crmeb/app/adminapi/controller/v1/setting/SystemConfig.php
+++ b/crmeb/app/adminapi/controller/v1/setting/SystemConfig.php
@ -376,6 +376,9 @@ class SystemConfig extends AuthController
        if (isset($post['refund_time_available'])) {
            if (!ctype_digit($post['refund_time_available'])) return app('json')->fail('售后期限必须为大于0的整数');
        }
+        if (isset($post['param_filter_data'])) {
+            $post['param_filter_data'] = base64_encode($post['param_filter_data']);
+        }
        if (isset($post['sms_save_type']) && sys_config('sms_account', '') != '') return app('json')->success(100001);
        foreach ($post as $k => $v) {
            $config_one = $this->services->getOne(['menu_name' => $k]);
--- a/crmeb/app/common.php
+++ b/crmeb/app/common.php
@ -623,29 +623,7 @@ if (!function_exists('filter_str')) {
     */
    function filter_str($str)
    {
-        $rules = [
-            '/\.\./', // 禁用包含 ../ 的参数
-            '/\<\?/', // 禁止 php 脚本出现
-            '/\bor\b.*=.*/i', // 匹配 'or 1=1'，防止 SQL 注入（注意边界词 \b 和不区分大小写 i 修饰符）
-            '/(select[\s\S]*?)(from|limit)/i', // 防止 SQL 注入
-            '/(union[\s\S]*?select)/i', // 防止 SQL 注入
-            '/(having|updatexml|extractvalue)/i', // 防止 SQL 注入
-            '/sleep\((\s*)(\d*)(\s*)\)/i', // 防止 SQL 盲注
-            '/benchmark\((.*)\,(.*)\)/i', // 防止 SQL 盲注
-            '/base64_decode\(/i', // 防止 SQL 变种注入
-            '/(?:from\W+information_schema\W)/i', // 注意这里的 (?:...) 是不合法的，应该是 (?:...) 表示非捕获组，但通常我们不需要这个
-            '/(?:current_|user|database|schema|connection_id)\s*\(/i', // 防止 SQL 注入（注意去掉了不必要的 (?:...)）
-            '/(?:etc\/\W*passwd)/i', // 防止窥探 Linux 用户信息
-            '/into(\s+)(?:dump|out)file\s*/i', // 禁用 MySQL 导出函数
-            '/group\s+by.+\(/i', // 防止 SQL 注入
-            '/(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(/i', // 禁用 webshell 相关某些函数
-            '/(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/\//i', // 防止一些协议攻击（注意协议后的三个斜杠）
-            '/\$_(GET|POST|COOKIE|FILES|SESSION|ENV|GLOBALS|SERVER)\[/i', // 禁用一些内置变量，注意 PHP 变量名通常是大写的
-            '/<(iframe|script|body|img|layer|div|meta|style|base|object|input)/i', // 防止 XSS 标签植入
-            '/(onmouseover|onerror|onload|onclick)\=/i', // 防止 XSS 事件植入
-            '/\|\|.*?(?:ls|pwd|whoami|ll|ifconfig|ipconfig|&&|chmod|cd|mkdir|rmdir|cp|mv)/i', // 防止执行 shell（注意去掉了不合适的 ifconfog）
-            '/\sand\s+.*=.*/i' // 匹配 and 1=1
-        ];
+        $rules = preg_split('/\r\n|\r|\n/', base64_decode(sys_config('param_filter_data')));
        if (filter_var($str, FILTER_VALIDATE_URL)) {
            $url = parse_url($str);
            if (!isset($url['scheme'])) return $str;
--- a/crmeb/app/services/system/config/SystemConfigServices.php
+++ b/crmeb/app/services/system/config/SystemConfigServices.php
@ -475,6 +475,9 @@ class SystemConfigServices extends BaseServices
    public function createTextareaForm(array $data)
    {
        $data['value'] = json_decode($data['value'], true) ?: '';
+        if ($data['menu_name'] == 'param_filter_data') {
+            $data['value'] = base64_decode($data['value']);
+        }
        $formbuider[] = $this->builder->textarea($data['menu_name'], $data['info'], $data['value'])->placeholder($data['desc'])->appendRule('suffix', [
            'type' => 'div',
            'class' => 'tips-info',
--- a/crmeb/public/install/crmeb.sql
+++ b/crmeb/public/install/crmeb.sql
@ -33810,7 +33810,8 @@ INSERT INTO `eb_system_config` (`id`, `menu_name`, `type`, `input_type`, `config
 (470, 'elec_invoice_cate', 'text', 'input', 18, '', 1, '', 100, 0, '\"0\"', '电子发票分类', '电子发票的商品分类', 0, 0),
 (471, 'elec_invoice_tax_rate', 'text', 'input', 18, '', 1, '', 100, 0, '\"0\"', '电子发票税率', '请填写电子发票的税率，填写0-100直接的整数，如：13%的税率请填写13', 0, 0),
 (472, 'elec_invoice_cate_name', 'text', 'input', 18, '', 1, '', 100, 0, '\"\"', '发票分类名称', '电子发票分类对应的名称，用于回显', 0, 0),
-(473, 'get_remote_login_url', 'text', 'input', 135, '', 1, '', 100, 0, '\"\"', '远程登录地址', '内嵌商城跳转h5页面链接携带（remote_token=远程用户生成的token）参数时，可自动登录商城，若remote_token为空的时候，本系统认定在外部系统中未登录，会跳转此地址进行登录', 0, 1);
+(473, 'get_remote_login_url', 'text', 'input', 135, '', 1, '', 100, 0, '\"\"', '远程登录地址', '内嵌商城跳转h5页面链接携带（remote_token=远程用户生成的token）参数时，可自动登录商城，若remote_token为空的时候，本系统认定在外部系统中未登录，会跳转此地址进行登录', 0, 1),
+(474, 'param_filter_data', 'textarea', 'input', 136, '', 1, '', 100, 5, '\"L1wuXC4vCi9cPFw\\/LwovXGJvclxiLio9LiovaQovKHNlbGVjdFtcc1xTXSo\\/KShmcm9tfGxpbWl0KS9pCi8odW5pb25bXHNcU10qP3NlbGVjdCkvaQovKGhhdmluZ3x1cGRhdGV4bWx8ZXh0cmFjdHZhbHVlKS9pCi9zbGVlcFwoKFxzKikoXGQqKShccyopXCkvaQovYmVuY2htYXJrXCgoLiopXCwoLiopXCkvaQovYmFzZTY0X2RlY29kZVwoL2kKLyg\\/OmZyb21cVytpbmZvcm1hdGlvbl9zY2hlbWFcVykvaQovKD86Y3VycmVudF98dXNlcnxkYXRhYmFzZXxzY2hlbWF8Y29ubmVjdGlvbl9pZClccypcKC9pCi8oPzpldGNcL1xXKnBhc3N3ZCkvaQovaW50byhccyspKD86ZHVtcHxvdXQpZmlsZVxzKi9pCi9ncm91cFxzK2J5LitcKC9pCi8oPzpkZWZpbmV8ZXZhbHxmaWxlX2dldF9jb250ZW50c3xpbmNsdWRlfHJlcXVpcmV8cmVxdWlyZV9vbmNlfHNoZWxsX2V4ZWN8cGhwaW5mb3xzeXN0ZW18cGFzc3RocnV8cHJlZ19cdyt8ZXhlY3V0ZXxlY2hvfHByaW50fHByaW50X3J8dmFyX2R1bXB8KGZwKW9wZW58YWxlcnR8c2hvd21vZGFsZGlhbG9nKVwoL2kKLyhnb3BoZXJ8ZG9jfHBocHxnbG9ifGZpbGV8cGhhcnx6bGlifGZ0cHxsZGFwfGRpY3R8b2dnfGRhdGEpXDpcL1wvL2kKL1wkXyhHRVR8UE9TVHxDT09LSUV8RklMRVN8U0VTU0lPTnxFTlZ8R0xPQkFMU3xTRVJWRVIpXFsvaQovPChpZnJhbWV8c2NyaXB0fGJvZHl8aW1nfGxheWVyfGRpdnxtZXRhfHN0eWxlfGJhc2V8b2JqZWN0fGlucHV0KS9pCi8ob25tb3VzZW92ZXJ8b25lcnJvcnxvbmxvYWR8b25jbGljaylcPS9pCi9cfFx8Lio\\/KD86bHN8cHdkfHdob2FtaXxsbHxpZmNvbmZpZ3xpcGNvbmZpZ3wmJnxjaG1vZHxjZHxta2RpcnxybWRpcnxjcHxtdikvaQovXHNhbmRccysuKj0uKi9p\"', '系统参数过滤', '系统参数过滤，过滤掉不需要的参数，多个参数用回车换行分隔', 0, 1);

 -- --------------------------------------------------------

@ -33911,7 +33912,8 @@ INSERT INTO `eb_system_config_tab` (`id`, `pid`, `title`, `eng_title`, `status`,
 (132, 7, '小程序配置', 'routine_config', 1, 0, '', 3, 0, 1007),
 (133, 7, '消息推送配置', 'routine_encoding', 1, 0, '', 3, 0, 1007),
 (134, 129, '模块配置', 'model_config', 0, 0, '', 0, 0, 23),
-(135, 129, '远程登录配置', 'remote_login', 1, 0, '', 0, 0, 23);
+(135, 129, '远程登录配置', 'remote_login', 1, 0, '', 0, 0, 23),
+(136, 129, '参数过滤配置', 'param_filter_config', 1, 0, '', 0, 0, 23);

 -- --------------------------------------------------------

@ -34640,8 +34642,7 @@ INSERT INTO `eb_system_file_info` (`id`, `name`, `path`, `full_path`, `type`, `c
 (561, 'listener', '/app', '/app/listener', 'dir', '2023-04-27 09:38:48', '2023-04-27 09:38:48', '事件'),
 (562, 'admin', '/app/listener', '/app/listener/admin', 'dir', '2023-04-27 09:38:48', '2023-04-27 09:38:48', '后台相关事件'),
 (563, 'AdminLoginListener.php', '/app/listener/admin', '/app/listener/admin/AdminLoginListener.php', 'file', '2023-04-27 09:38:48', '2023-04-27 09:38:48', '管理员登录事件'),
-(564, 'crontab', '/app/listener', '/app/listener/crontab', 'dir', '2023-04-27 09:38:48', '2023-04-27 09:38:48', '定时任务事件'),
-(565, 'SystemCrontabListener.php', '/app/listener/crontab', '/app/listener/crontab/SystemCrontabListener.php', 'file', '2023-04-27 09:38:48', '2023-04-27 09:38:48', '定时任务执行事件'),
+(564, 'crontab', '/app/listener', '/app/listener/crontab', 'dir', '2023-04-27 09:38:48', '2023-04-27 09:38:48', '定时任务事件')
 (566, 'filetree.txt', '/app/listener', '/app/listener/filetree.txt', 'file', '2023-04-27 09:38:48', '2023-04-27 09:38:48', ''),
 (567, 'http', '/app/listener', '/app/listener/http', 'dir', '2023-04-27 09:38:48', '2023-04-27 09:38:48', '请求事件'),
 (568, 'HttpEndListener.php', '/app/listener/http', '/app/listener/http/HttpEndListener.php', 'file', '2023-04-27 09:38:48', '2023-04-27 09:38:48', '请求日志记录事件'),
--- a/readme/pic/618.jpg
+++ b/readme/pic/618.jpg
--- a/readme/pic/联系我们.jpg
+++ b/readme/pic/联系我们.jpg
--- a/readme/宝塔快速安装说明.docx
+++ b/readme/宝塔快速安装说明.docx
--- a/安装必读.docx
+++ b/安装必读.docx